.TH GVM-MANAGE-CERTS "1" "2015-09-21" "The OpenVAS Project" "User manual for the Open Vulnerability Assessment System (OpenVAS)"
.SH NAME
gvm-manage-certs \- manage certificate infrastructure for a GVM installation
.SH SYNOPSIS
.B gvm-manage-certs
[\fIOPTION\fR]...
.SH DESCRIPTION
.B gvm-manage-certs
manages the certificate infrastructure for a GVM installation.
The certificate infrastructure enables GVM daemons to communicate in a
secure manner and is used for authentication and authorization before
establishing TLS connections between the daemons.
.PP
The GVM certificate infrastructure consists of a certificate authority (CA)
which is trusted by all GVM daemons.
This CA is then used to sign certificates used by the various daemons.
The certificates can be divided into two use cases:
.IP \(bu 3
Server certificates, primarily used for authentication
.IP \(bu 3
Client certificates, primarily used for authorization
.PP
.B gvm-manage-certs
can perform an automatic creation of a default certificate infrastructure for a
standard GVM installation.
It can also verify an existing infrastructure and perform various certificate
related tasks to support the setup of a more complex infrastructure.
.SH OPTIONS
.SS "Certificate infrastructure management"
.TP
\fB\-a\fR
Automatically set up default infrastructure for GVM
.TP
\fB\-V\fR
Verify existing GVM certificate infrastructure
.TP
\fB\-C\fR
Create a certificate authority (CA)
.TP
\fB\-R\fR
Create a certificate request for a CA
.TP
\fB\-r\fR
Create a certificate request for a CA and sign it
.TP
\fB\-C\fR
Create a certificate authority (CA)
.TP
\fB\-I\fR
Install a CA certificate
.TP
\fB\-c\fR
Create a certificate request and sign it
.TP
\fB\-i\fR
Install a certificate
.TP
\fB\-S\fR
Sign a certificate request
.TP
\fB\-f\fR
Force overwriting of existing files
.SS "Certificate options"
.TP
\fB\-E\fR
Create a server certificate.
This sets the appropriate key usage constraints for a server certificate.
.TP
\fB\-L\fR
Create a client certificate.
This sets the appropriate key usage constraints for a client certificate.
.TP
\fB\-A\fR
Skip CA generation in automatic mode.
This automatically (re-)generates server and client certificates, but keeps the CA certificate.
.SS "Configuration"
\fB\-e\fR \fIfile\fR
Read configuration from
.IR file
(see below for configuration details)
.SS "Output control"
.TP
\fB\-d\fR
Print debug output
.TP
\fB\-v\fR
Print verbose messages
.TP
\fB\-q\fR
Be quiet, only print error messages
.SS "Other options"
.TP
\fB\-h\fR
Print help
.SH "EXIT STATUS"
.TP
.B 0
The requested operation was successfully performed.
.TP
.B 1
An error occurred, the requested operation could not be performed.
.SH ENVIRONMENT
All certificate generation options can be set either through the configuration
file or through environment variables like the following:
.TP
GVM_CERTIFICATE_LIFETIME
Days until the certificate will expire
.TP
GVM_CERTIFICATE_HOSTNAME
Name to use for the certificate
.TP
GVM_CERTIFICATE_SIGNALG
Hash algorithm to use for signing
.TP
GVM_CERTIFICATE_KEYSIZE
Size in bits of the generated key
.TP
GVM_CERTIFICATE_SECPARAM
GnuTLS security level [low|medium|high|ultra]
.TP
GVM_CERT_DIR
Directory where keys and certificates are stored before installation
.TP
GVM_CERT_PREFIX
Prefix for certificate filename (e.g. "server")
.PP
For a complete list of options, please refer to the example configuration file
included in the documentation.
.SH "SEE ALSO"
.BR openvas (8),
.BR gvmd (8),
.BR gsad (8)
